Mechanism for efficient private bulk messaging

ABSTRACT

Secure bulk messaging mechanism in which, roughly described, a sender first encrypts a message once. The message can be decrypted with a message decryption key. These can be symmetric or asymmetric keys. For each recipient, the sender then encrypts the message decryption key with the recipient&#39;s public key. The sender then sends the encrypted message and the encrypted message decryption keys to a store-and-forward server. Subsequently, one or more recipients connect to the server and retrieve the encrypted message and the message encryption key that has been encrypted with the recipient&#39;s public key. Alternatively, the server can forward these items to each individual recipient. The recipient then decrypts the encrypted message decryption key with the recipient&#39;s private key, resulting in an un-encrypted message decryption key. The recipient then decrypts the message using the un-encrypted message decryption key.

This application is a continuation of U.S. patent application Ser. No.13/717,297 filed on Dec. 17, 2012, which is a continuation of U.S.patent application Ser. No. 11/107,679, filed Apr. 15, 2005, which is inturn a continuation of U.S. patent application Ser. No. 09/792,949,entitled “Mechanism for Efficient Private Bulk Messaging” filed Feb. 26,2001, now U.S. Pat. No. 6,912,285, which in turn claims priority of U.S.Provisional Patent Application No. 60/184,785, filed Feb. 24, 2000. Eachof the foregoing applications is incorporated herein by reference.

BACKGROUND

1. Field of the Invention

The invention relates to secure transmission of documents, and moreparticularly, to transmission of documents to a large number ofrecipients, securely and efficiently.

2. Description of Related Art

The Internet and corporate networks have made the transmission ofdocuments and messages via e-mail commonplace. Bulk messaging has alsobecome commonplace, such as for advertising and promotional purposes.For bulk messaging, typically a user on one computer composes a messageand addresses it to an e-mail group. The message is transmitted to aserver, which substitutes the individual addresses of all the targetrecipients in the group, which may number in the thousands, andtransmits the message individually to each target recipient.

Unlike advertising and promotional uses, many businesses require thattheir communications take place securely. When messages are to betransmitted across an insecure network, such as the Internet, securityis typically accomplished by encrypting the message in a manner that canbe decrypted only with knowledge of a decryption key. Since only theintended recipient is expected to have the decryption key, only thatrecipient will be able to open the message and view its contents.Encryption may be performed using a symmetrical encryption algorithm, inwhich the encryption key matches the decryption key, or by an asymmetricalgorithm, in which the encryption key is different from the decryptionkey. One popular form of asymmetric encryption is public/private keyencryption, described in “Public-key Cryptography Standards,” RSA DataSecurity, Inc. (1991), and in Rivest U.S. Pat. No. 4,405,829, bothincorporated by reference herein.

According to the public/private key crypto system, each target recipienthas both a private key that only the recipient knows, and a public keythat is publicly available. When a sender desires to send a messagesecurely to one of the target recipients, the sender encrypts themessage using the target recipient's public key. Only the targetrecipient then is able to open the message and view its contents.

Secure messaging becomes problematical when the sender desires to sendthe message to a large number of target recipients. If a public/privatekey cryptosystem is to be used, then the sender must encrypt the messageN times, once using the public key of each of the N target recipients,and then send the message separately to each of the target recipients.If the document to be transmitted is large, and/or if N is in thethousands, this can be a formidable task. The encryption part of thetask can be minimized if all of the target recipients share a singledecryption key, because then the sender need encrypt the message onlyonce. But the need for all recipients to have the decryption key posesrisks both in the transmission and in the storage of the key. Thissolution also does not overcome the need for the sender to transmit themessage separately, once to each of the N target recipients.

Accordingly, there is a need for a more efficient mechanism for securebulk transmission of messages.

SUMMARY OF THE INVENTION

According to the invention, roughly described, a sender first encryptsthe message once. The message can be decrypted with a message decryptionkey. These can be symmetric or asymmetric keys. For each recipient, thesender then encrypts the message decryption key with the recipient'spublic key. The sender then sends the encrypted message and theencrypted message decryption keys to a store-and-forward server.Subsequently, one or more recipients connect to the server and retrievethe encrypted message and the message encryption key that has beenencrypted with the recipient's public key. Alternatively, the server canforward these items to each individual recipient. The recipient thendecrypts the encrypted message decryption key with the recipient'sprivate key, resulting in an un-encrypted message decryption key. Therecipient then decrypts the message using the un-encrypted messagedecryption key.

BRIEF DESCRIPTION OF THE DRAWINGS

The invention will be described with respect to particular embodimentsthereof, and reference will be made to the drawings, in which:

FIG. 1 is a block diagram of a system incorporating the invention.

FIG. 2 is a flowchart of basic steps undertaken by a sender intransmitting a secure bulk message using the arrangement of FIG. 1.

FIG. 3 is a flowchart illustrating the process undertaken by a recipientto retrieve and open the message.

FIG. 4 illustrates a format by which an encrypted message and theencrypted decryption keys are stored on the server of FIG. 1.

DETAILED DESCRIPTION

FIG. 1 is a block diagram of a system incorporating the invention. Itcomprises a sender 110, which sends the encrypted message and encryptedmessage decryption keys to a server 112, which can then be accessed byeach of N target recipients 114-1, 114-2, 114-3, . . . 114-N(collectively, target recipients 114). One or more of the transmissionpaths from the sender 110 to the server 112 or from the server 112 tothe recipients 114 are potentially insecure. As used herein, the term“message” is intended to be read broadly to include all kinds ofinformation that might be transmitted, such as e-mail messages,documents, financial transactions, and so on. Also as used herein, theserver 112 need not be limited to a single computer. It can includemultiple computers which need not even be located physically together.

FIG. 2 is a flowchart of the basic steps undertaken by the sender intransmitting a secure bulk message using the arrangement of FIG. 1. Instep 210, the sender first creates the message to be sent. In step 212,the sender encrypts the message. As mentioned, encryption at this stagecan be either by a symmetric or an asymmetric encryption algorithm.Although there are many examples of acceptable encryption algorithms,one common symmetric algorithm is that described in National Institutesof Standards and Technology, “Data Encryption Standard,” FIPSPublication No. 46-1 (January 1988) (hereinafter “DES”), incorporated byreference herein. The encryption process in step 212 can be reversedusing a message decryption key known by the sender.

In step 214, the sender encrypts the message decryption key N times—onceusing the public key of each of the N target recipients. This yields Nencrypted message decryption keys. In step 216, the sender sends theencrypted message, the addresses of the target recipients, and the listof encrypted message decryption keys to the server 112. It will beappreciated that one of the target recipients could be a third-partymonitor, such as a government agency that is permitted to view themessage if required by law.

Optionally, the sender can also send to the server 112 (or the serveritself generate) a digital signature protecting all of the encrypteddecryption keys associated with a particular encrypted message. The listof encrypted decryption keys thereafter cannot be tampered with withoutbeing detectable by reference to the digital signature. A digitalsignature is created by digesting the list, or significant portions ofthe list, using a well-known digesting algorithm, and then encryptingthe digest with the sender's (or server's) private key of apublic/private pair. In order to check for tampering, an auditor repeatsthe digesting of the list of encrypted decryption keys, to form a newdigest, and then decrypts the digital signature using the sender's (orthe server's) public key, to recover the original digest, and thencompares the two for equality. A satisfactory digesting algorithm isthat describe in R. Rivest, “MD5 Message-Digest Algorithm”, InternetEngineering Task Force RFC No. 1321 (April 1992), incorporated byreference herein.

On the server 112, the encrypted message and the encrypted decryptionkeys are stored as illustrated in FIG. 4. The encrypted message isstored at 410. In conjunction with the encrypted message 410, the serverstores each of the encrypted decryption keys 412-1, 412-2, . . . ,412-N.One of the encrypted decryption keys can, as mentioned above, optionallybe a monitor's decryption key 414. Optionally also stored in conjunctionwith the encrypted message 410, is a digital signature 416 protectingthe list of encrypted decryption keys. The elements illustrated in FIG.4 may be stored all in one contiguous region of computer-readablememory, or across discontiguous regions, or across discontiguous regionsof multiple computer-readable media.

In one embodiment, the server maintains a document management systemwhich not only stores multiple encrypted messages and their associatedencrypted decryption keys, but also provides logical and structuredrestricted access to the various items by individual senders andindividual recipients. For example, one such document management systemallows senders to change the message stored on the server 112, while notallowing other senders to do so and while not allowing any recipient todo so. Another such document management system allows senders to add,delete or change entries in the list of encrypted decryption keys formessages that were transmitted by the sender, while not allowing suchmodifications by other senders or by any recipient. Yet another suchdocument management system, when accessed by a particular recipient,shows the recipient only those messages on which the particularrecipient is identified as a target recipient, hiding any messages forwhich there is no encrypted decryption key for the particular recipient.

FIG. 3 is a flowchart illustrating the process undertaken by a recipientto retrieve and open the message. In step 310, the recipient accessesthe server 112, and in step 312, the recipient downloads the encryptedmessage and at least the particular recipient's encrypted messagedecryption key 412. Alternatively, the server 112 can forward theseitems to the recipient without awaiting action from the recipient. Instep 314, the particular recipient decrypts the recipient's encryptedmessage decryption key, yielding an unencrypted message decryption key.In step 316, the recipient decrypts and views the encrypted messageusing the now-unencrypted message decryption key.

It will be appreciated that the above-described mechanism is capable ofmany variations. As one example, in step 216, the sending of theencrypted message and list of encrypted message decryption keys need nottake place in a single transmission. Some of all of the encryptedmessage decryption keys can be sent earlier or later than the encryptedmessage.

As another example, encrypted decryption keys could be bundled into themessage and the single message with the encrypted decryption keys couldbe broadcast to all recipients without compromising the security of themechanism.

As yet another example, public and private keys for encrypting thedecryption keys could be replaced with symmetric private keys withoutaffecting the security or efficiency of the mechanism.

As still another example, server 112 could be eliminated and the messagewith the encrypted decryption keys could be broadcast to all recipientsand any other listeners, and only the target recipients will be able todecrypt the message and the security of the mechanism is notcompromised.

As yet another example, for one or more of the target recipients, thesender can multiply encrypt the recipient's message decryption key,thereby requiring multiple entities to be involved in the decryption ofthe message decryption key. For example, the sender may first encryptthe message decryption key with the target recipient's public key,yielding a “partially-encrypted” message decryption key. The sender maythen re-encrypt the partially- encrypted message decryption key, usingthe public key of an authorizer, thus yielding the final encryptedmessage decryption key. Upon receipt of the message, the recipient firsthas the encrypted decryption key decrypted by the authorizer, using theauthorizer's private key. This recovers the partially-encrypted messagedecryption key. The recipient then decrypts the partially-encryptedmessage decryption key, using the recipient's private key, thus yieldingthe un-encrypted message decryption key. Alternatively, the order ofencryption for the multiple parties can be reversed, as long as thedecryption sequence takes place in the same order as the encryptionsequence.

The foregoing description of preferred embodiments of the presentinvention has been provided for the purposes of illustration anddescription. It is not intended to be exhaustive or to limit theinvention to the precise forms disclosed. Obviously, many modificationsand variations will be apparent to practitioners skilled in this art.Inparticular, and without limitation, any and all variations described,suggested or incorporated by reference in the Background section of thispatent application are specifically incorporated by reference into thedescription herein of embodiments of the invention. The embodimentsdescribed herein were chosen and described in order to best explain theprinciples of the invention and its practical application, therebyenabling others skilled in the art to understand the invention forvarious embodiments and with various modifications as are suited to theparticular use contemplated. It is intended that the scope of theinvention be defined by the following claims and their equivalents.

The invention claimed is:
 1. A document management system comprising: aserver coupled into a transmission path between a sender and targetrecipients to receive from the sender and to provide to at least some ofthe target recipients a message, wherein the provided message isencrypted at least for storage at the server using a sender key and isdecryptable using a corresponding message decryption key that is, inturn, separately encrypted for each of the target recipients usingrespective encryption keys associated with the target recipientsthemselves, thereby resulting in a plurality of recipient-associatedencrypted decryption keys; the sender providing a digital signature anda list of recipient-associated encrypted decryption keys to the server,wherein the sender digests at least a portion of the list, but not themessage itself, to form a digest and encrypts the digest with thesender's private key of a public-private pair to create the digitalsignature; the server providing each of the target recipients with atleast a respective one of the recipient-associated encrypted decryptionkeys for decryption by the respective target recipient to recover theunderlying message decryption key and to thereby provide the respectivetarget recipient with access to the encrypted message.
 2. The documentmanagement system of claim 1, wherein responsive to the sender, theserver changes the underlying message stored at the server, but not therecipient-associated encrypted decryption keys themselves or the senderkey itself which remain unchanged.
 3. The document management system ofclaim 2, wherein the sender sends the recipient-associated encrypteddecryption keys to the server for inclusion in a list of authorizedencrypted decryption keys, and wherein the underlying message ischanged, but not the list of authorized encrypted decryption keysthemselves which remain unchanged.
 4. The document management system ofclaim 2, wherein the changed message is encrypted at least for storageat the server using the sender key.
 5. The document management system ofclaim 4, wherein the sender provides a first recipient-associatedencrypted decryption key of the plurality of recipient-associatedencrypted decryption keys to a first recipient.
 6. The documentmanagement system of claim 5, wherein the first target recipientretrieves the encrypted changed message and the firstrecipient-associated encrypted decryption key from the server.
 7. Thedocument management system of claim 6, wherein the first targetrecipient decrypts the first recipient-associated encrypted decryptionkey to recover the first underlying message decryption key.
 8. Thedocument management system of claim 7, wherein the first targetrecipient decrypts the encrypted changed message using the firstrecovered message decryption key.
 9. The document management system ofclaim 8, wherein the sender provides a second recipient-associatedencrypted decryption key of the plurality of recipient-associatedencrypted decryption keys to a second target recipient.
 10. The documentmanagement system of claim 9, wherein the second target recipientretrieves the encrypted changed message and the secondrecipient-associated encrypted decryption key from the server.
 11. Thedocument management system of claim 10, wherein the second targetrecipient decrypts the second recipient-associated encrypted decryptionkey to recover the second underlying message decryption key.
 12. Thedocument management system of claim 11, wherein the second targetrecipient decrypts the encrypted changed message provided by the server.13. The document management system of claim 12, wherein the secondtarget recipient decrypts the encrypted changed message using the secondrecovered message decryption key.
 14. The document management system ofclaim 1, wherein the message is an e-mail message.
 15. The documentmanagement system of claim 1, wherein the message is a document.
 16. Thedocument management system of claim 1, wherein the server does not allowthe target recipients to change the underlying message.
 17. The documentmanagement system of claim 1, wherein the digital signature is notdependent on the message.
 18. The document management system of claim 1,wherein the recipient-associated encrypted decryption keys in the listare stored separate from the encrypted message.
 19. The documentmanagement system of claim 1, comprising: an auditor that decrypts thedigital signature using the sender's public key of the public-privatepair to recover a second digest and compares the first digest to thesecond digest, wherein the server provides each of the target recipientswith at least the respective one of the recipient-associated encrypteddecryption keys if the first and second digests are the same.
 20. Thedocument management system of claim 1, wherein the server packages theencrypted message and the recipient-associated encrypted decryption keysinto a single message and broadcasts the single message to the targetrecipients and at least one recipient that is not a target recipient ofthe message.